But I don’t know what the right way is:

Networking and web security giant Cloudflare says the recent 8chan controversy may be an ongoing “risk factor” for its business on the back of its upcoming initial public offering. […]
8chan became the second customer to have its service cut off by Cloudflare in the aftermath of the attacks. The first and other time Cloudflare booted one of its customers was neo-Nazi website The Daily Stormer in 2017, after it claimed the networking giant was secretly supportive of the website.
Cloudflare, which provides web security and denial-of-service protection for websites, recognizes those customer cut-offs as a risk factor for investors buying shares in the company’s common stock. […]
Cloudflare had long taken a stance of not policing who it provides service to, citing freedom of speech. In a 2015 interview with ZDNet, chief executive Matthew Prince said he didn’t ever want to be in a position where he was making “moral judgments on what’s good and bad,” and would instead defer to the courts. […]
Cloudflare has also come under fire in recent months for allegedly supplying web protection services to sites that promote and support terrorism, including al-Shabaab and the Taliban, both of which are covered under U.S. Treasury sanctions.
In response, the company said it tries “to be neutral,” but wouldn’t comment specifically on the matter.

(Via Cloudflare says cutting off customers like 8chan is an IPO ‘risk factor’ by Zack Whittaker)

I am mixed on this takedown even after a solid week of reflection. There is no doubt in my mind that 8chan is toxic and a blight on humanity, and the same with The Daily Stormer. I’m happy they aren’t being protected by CloudFlare.

However, I don’t like that:
– there’s no oversight into these takedowns;
– CloudFlare acted from public pressure (well, social media pressure), and the mob is oft not rational (or real);
– and, from a technical perspective, these instances set a problematic precedent.

CloudFlare and similar companies are almost as core to the Internet’s function these days as DNS and NTP. My site is protected by CloudFlare, in fact (and in full disclosure, etc.). They and their competitors are akin to an active Internet insurance policy. Denying core-adjacent functionality and insurance to sites because the sites are reprehensible in giving the dregs of society a place to congregationally amplify their hate seems a no-brainer at first blush. But it also helps lay out a blueprint for blocking sites for far less.

Sadly, I don’t know how I would feel better about or how I would solve this. I’m open to constructive discussion.

To be clear: I agree with CloudFlare on their actions in regard to 8chan and The Daily Stormer. I would like the actions to get codified into a documented policy.

Today I learned that ZIP Codes do not strictly represent geographic areas but rather “address groups or delivery routes”.
> Despite the geographic derivation of most ZIP Codes, the codes themselves do not represent geographic regions; in general, they correspond to address groups or delivery routes. As a consequence, ZIP Code “areas” can overlap, be subsets of each other, or be artificial constructs with no geographic area (such as 095 for mail to the Navy, which is not geographically fixed). In similar fashion, in areas without regular postal routes (rural route areas) or no mail delivery (undeveloped areas), ZIP Codes are not assigned or are based on sparse delivery routes, and hence the boundary between ZIP Code areas is undefined. […]
ZIP Codes are therefore not that reliable when doing geospatial analysis of data:
> Even though there are different place associations that probably mean more to you as an individual, such as a neighborhood, street, or the block you live on, the zip code is, in many organizations, the geographic unit of choice. It is used to make major decisions for marketing, opening or closing stores, providing services, and making decisions that can have a massive financial impact.
> The problem is that zip codes are not a good representation of real human behavior, and when used in data analysis, often mask real, underlying insights, and may ultimately lead to bad outcomes. To understand why this is, we first need to understand a little more about the zip code itself.

(Via The Bear with Its Own ZIP Code by Jason Kottke)

I ran into this a decade ago, plus or minus a few years, when trying to come up with a good mechanism for imprecisely denoting the general location of network equipment. One idea had been to use the ZIP code or outside-of-the-US postal equivalent in device naming or SNMP strings. I determined ZIP codes and their analogs are useful in postal delivery but are not good for asset and information management. I think there was a substantial cost for a database with every possible Earthly postal code, which would have been a massive overkill for the need.

It’s worth checking if the rules we hold dear, and fast to, are helping the people we serve.

Rules Checklist

  • Why does this rule exist?
  • Does this rule benefit the majority of our customers? How?
  • Do we have difficulty looking people in the eye when we explain this rule? Why?
  • What story does this rule tell the customer [and ourselves] about our values?
  • How does this rule make us better?
  • What would happen if we scrapped this rule?

Doing what’s accepted or expected isn’t necessarily the right thing to do.

(Via The Story of Telling)

I like this.

On ‘Experts’

This is a good post from Om Malik where he talks about what makes an expert:

Just because someone labels you as an “expert” doesn’t mean you are one. People get a lot of credit these days for stumbling onto things that may very well have happened had they been standing there or not. In addition to luck and talent, it takes time to become actually good or great at something. It’s not so much the 10,000-hour theory that is popular these days, but rather it’s about learning the lessons that only time can reveal.

Most ‘experts’ are fake. If you call yourself an expert, you are certainly lying to everyone and yourself. True experts are hard to find, because they are focused on their craft so intensely that you rarely know who they are. At least that has been my experience.

(Via The Brooks Review Member Feed)

This struck me after having read Brian Krebs’ article about Marcus Hutchins, the guy who was responsible for both stopping the spread of the global WannaCry ransomware outbreak in 2017 and spreading the “Kronos” banking trojan in his younger days. Krebs describes Hutchins as an “accidental hero”, a “security enthusiast”, and a “security expert”. The middle one is probably the most correct of the bunch, but “security professional” is best.

The hero descriptor is perhaps more egregious than an expert label. We, in general, throw hero around far too liberally. In the WannaCry case, Hutchins was not unique in his discovery. He was first. Hutchins did not display exceptional courage, nobility, or strength when he registered the domain for DNS sinkholing the malware. He did spend money and time, and he benefitted a lot of people, organizations, and companies through his swift action.

I value Krebs’ reporting and the risks he takes when writing some of his pieces, but I did not care for this. Let’s temper descriptors, shall we?

The FTC Pleads With Claimants to Accept Credit Monitoring After Pitiful Equifax Money Pot Empties — Pixel Envy:

Consumers could never be fully compensated for the impact of this breach, but announcing this as a settlement of over $575 million with $300 million going towards credit monitoring services is misleading at best. Equifax also did not have to admit culpability, and the CEO responsible retired with a compensation package with a minimum $18 million value — more than half this $31 million pot that could be split between 147 million affected consumers.

This settlement is infuriating and insulting.

Couldn’t have said it better.

Security Monitor by Riccardo Mori:

Now I’ve switched to ‘active distrust’ mode towards Apple. I don’t feel 10.14 Mojave brings anything particularly useful to me, and 10.15 Catalina even less so. Nothing really worth leaving High Sierra and its general stability behind. Everything I’m reading about Catalina, the experiences of those valiant people trying out the beta, and the technical observations of the more expert users and Mac developers, gives me the impression that Catalina is perhaps the first version of Mac OS that is more useful to Apple rather than their users, if you get my drift.

I can’t agree more. My personal machines – a 2011 Mac Mini Server and a 2015 MacBook Pro – are still on High Sierra because Apple is IMHO no more reliable than any other vendor. My work 2015 MacBook Air is force-updated by the CIO Office to the latest macOS release – major, minor, and supplemental – to the point where internal sites are filling up with complaints about forced reboots during client meetings, presentations, customer maintenance, end-of-month/-quarter activities, and other sensitive moments.

Which makes me wonder yet again: why do people forget about availability when talking about security?

No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernardino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.

(Via The Overspill)

Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

The Sorry State of Cybersecurity Imagery – Lawfare:

The state of cybersecurity imagery is, in a word, abysmal. A simple Google Image search for the term proves the point: It’s all white men in hoodies hovering menacingly over keyboards, green “Matrix”-style 1s and 0s, glowing locks and server racks, or some random combination of those elements—sometimes the hoodie-clad men even wear burglar masks. Each of these images fails to convey anything about either the importance or the complexity of the topic—or the huge stakes for governments, industry and ordinary people alike inherent in topics like encryption, surveillance and cyber conflict. […]

This dearth of quality cyber imagery is a problem because it’s hard to wrap your head around something you can’t visualize. For too many people, the stereotypical hackers and hackneyed “computer” iconography the term “cybersecurity” conjures up are indicative of the blank space where greater understanding needs to be. The lack of visual storytelling language is not that surprising given the immaturity of the cyber policy field and its multidisciplinary nature. That is—the combination of technical, legal, policy, business and other dimensions of cybersecurity—makes a nuanced and sophisticated conversation difficult, whether communicating with words or pictures.

Amen! I’m pleased my employer largely ditched the cliché imagery in our materials and marketing. But there is still so much garbage out there.

I’m particularly pleased and surprised by this, again in the same article, which I recommend you read:

The Cyber Visuals Challenge launching today will help begin to answer those questions. Whatever the answers to them, we’re confident that the visual creators who take part will give us all something to think about and help move the state of cyber imagery beyond the tired hackers-in-hoodies visual clichés that fill stock image libraries today. 

Citrix Completes Investigation into Data Breach:

“Unfortunately, this is analogous to rearranging deck chairs on the Titanic,” Arshad Noor, CTO of StrongKey, told SecurityWeek. “Passwords are not just old, they are ancient – created for the mainframe to enable chargeback controls for time-sharing in the 1960s. That multi-billion-dollar companies continue to use this archaic technology to protect a multi-trillion-dollar economy is an anachronism of the 21st century. I would strongly encourage Citrix – and others – to look at FIDO Alliance’s new protocol (FIDO2) towards eliminating passwords entirely from their web and mobile infrastructure; it is a 21st century technology designed for a 21st century landscape.”

(Via SecurityWeek RSS Feed)

The Citrix breach is nothing new. In fact, they did what everyone seems to do these days: global password reset instead of fixing the problem. There are so many better ways to authenticate users these days. It would be good to see companies look into leveraging them to improve their customers’ security.

The quote above sums things up nicely. There is no perfect solution. But there is better and that should be the goal.

Come for the badge cloning, stay for the ☕.

Get Your Badge Cloned at Black Hat USA 2019 – YouTube:

Brief video from my buddy and colleague David Bryan, a.k.a. @_videoman_, from X-Force Red.

Come by Black Hat Booth #2104 & tell him the Tokyo Gringo sent you. When he doesn’t know who that is, say it’s me.